Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@digitak/esrun
esrun is a "work out of the box" library to execute Typescript (as well as modern Javascript with decorators and stuff) without having to use a bundler. This is useful for quick demonstrations or when launching your tests written in Typescript.
This library is a thin wrapper around esbuild which compiles Typescript almost instantly.
The hardest part of running Typescript is dealing with dependencies. For example, you may need to import other Typescript files, but also libraries written in Javascript that use either the CJS or the ESM format. All these use cases have to be handled.
esrun is able to handle all the annoying stuff and make things work as you would expect.
Install the library globally with your favorite package manager:
npm i -g @digitak/esrun
Then you can execute any Typescript file in the same way Node would execute a Javascript file:
esrun foo.ts
You can pass arguments like any process:
esrun foo.ts --option=bar --verbose -S
All file dependencies will be bundled and executed as well.
External module dependencies won't be bundled; it's up to the Node engine to resolve them.
Install the library locally with your favorite package manager.
npm i -D @digitak/esrun
Then you can use it in your package.json scripts:
{
  "scripts": {
    "test": "esrun test"
  }
}
Running npm run test will run the first file that exists in the following list:
/test.ts
/test/index.ts
/test/test.ts
/test/main.ts
/test.js
/test/index.js
/test/test.js
/test/main.js
You can also execute esrun in watch mode.
In watch mode, your file will automatically be re-executed every time itself or one of its dependencies is updated.
esrun --watch foo.ts
The --watch (or -w) option must be placed before the path of the file to execute. If you place it after the file path, it will be passed as an argument to foo.ts instead.
This feature is very useful when you are doing test-driven development. You can just run esrun --watch test.ts and enjoy a live output of your changes right in your console.
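The lookup order for npm run test and the placement rule for --watch, modelled as an added example (not esrun's own code). The function names, the generalisation from "test" to any entry name, and the assumption that runner options never take a separate value argument are illustrative.

```javascript
// Added example: a model of the documented behaviour, not esrun's source.

// Candidate order from the list above (.ts candidates first, then .js),
// generalised from "test" to any entry name (assumption).
function candidates(name) {
  const base = name.split("/").pop();
  const out = [];
  for (const ext of [".ts", ".js"]) {
    out.push(`${name}${ext}`, `${name}/index${ext}`, `${name}/${base}${ext}`, `${name}/main${ext}`);
  }
  return out;
}

// Return the first candidate for which exists(path) is true, or null.
// In real use, `exists` would check the file system relative to the project root.
function resolveEntry(exists, name) {
  for (const rel of candidates(name)) {
    if (exists(rel)) return rel;
  }
  return null;
}

// Split a command line the way the --watch paragraph describes: everything
// before the entry path belongs to the runner, everything after it is handed
// to the executed script. Assumes runner options take no separate value.
function splitArgs(argv) {
  const i = argv.findIndex((arg) => !arg.startsWith("-"));
  if (i === -1) return { runnerOptions: argv.slice(), entry: null, scriptArgs: [] };
  return {
    runnerOptions: argv.slice(0, i),
    entry: argv[i],
    scriptArgs: argv.slice(i + 1),
  };
}

// Constructed project layouts (sets of paths relative to the project root).
const layoutA = new Set(["test/main.ts", "test/index.js"]);
const layoutB = new Set([...layoutA, "test.ts"]);

console.log(resolveEntry((p) => layoutA.has(p), "test")); // a .ts candidate beats any .js one
console.log(resolveEntry((p) => layoutB.has(p), "test")); // a top-level test.ts beats the test/ directory
console.log(splitArgs(["--watch", "foo.ts"]));            // --watch reaches the runner
console.log(splitArgs(["foo.ts", "--watch"]));            // --watch is passed to foo.ts
```

The second layout shows why it is worth knowing this order when reviewing a repository: adding a single top-level file changes which code npm run test executes.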
You can also execute esrun in inspect mode.
When run in inspect mode, your code will be connected to the Webkit DevTools so that you can benefit from the power of the browser console instead of the terminal console.
First, run your program in inspect mode:
esrun --inspect foo.ts
Then open about:inspect in a Chrome / Brave / Edge browser. You should see your program running in the Remote targets section.
Click on Open dedicated DevTools for Node and enjoy the browser console for your back-end program.
If you run into trouble, read the Node documentation.
Inspect and watch modes are, alas, not compatible yet.
If you import a CJS module (like the typescript library itself), it's likely that you will need to set the esModuleInterop flag in your tsconfig.json file:
{
  "compilerOptions": {
    "esModuleInterop": true
  }
}
This will suppress the import errors from the Typescript compiler and allow you to write import ts from "typescript" instead of import * as ts from "typescript", the latter syntax not being standard ESM.
If the given entry point is a directory, the following actions will be executed in order to find the right entry file:
main field. The entry file will be the value of the main field, relative to the package.json directory.
index.ts file exists in the given directory.
.ts extension exists in the given directory.
main.ts file exists in the given directory.
index.js file exists in the given directory.
.js extension exists in the given directory.
main.js file exists in the given directory.
The library exports a single function that you can use to programmatically execute a Typescript file.
import esrun from '@digitak/esrun'
esrun(filePath: string, argv: string[], watch = false): unknown
FAQs
Execute directly your Typescript files using Esbuild
The npm package @digitak/esrun receives a total of 9,451 weekly downloads. As such, @digitak/esrun popularity was classified as popular.
We found that @digitak/esrun demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.